
How to encrypt specific source/destination pairs over WAN?

GW M
Level 1

I have a requirement to encrypt specific client sessions to a particular host server over our WAN transport. Currently, we have a single WAN connection between two sites, which is running OSPF. The customer would like us to encrypt specific source-to-destination pairs between the sites. Is there a way to do this while still using OSPF between the two sites as the primary routing protocol? Can we implement a VTI tunnel with OSPF and route-map the specific source/destination pairs down the encrypted tunnel while allowing all other traffic to be routed natively by OSPF (w/o encryption) over the WAN between the sites?

Thanks

GM


Richard Burts
Hall of Fame

GM

I do not think that VTI would be a good solution for you, because if you run OSPF through the VTI tunnel then all traffic will flow through the VTI tunnel, and one of the primary things about the VTI tunnel is that it encrypts all traffic going through the tunnel.

But I think that the traditional IPSec connection with a crypto map may very well do what you want it to do. You would configure IPSec with the traditional ISAKMP policies, etc., and a crypto map. You apply the crypto map to the outbound physical interface. OSPF runs on the interface and not through the IPSec connection. In the crypto map you reference an access list. The access list identifies the particular source/destination addresses whose traffic should be encrypted. So traffic that does match the access list is encrypted and sent out the interface, and traffic that does not match the access list is sent out the interface unencrypted.

HTH

Rick
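
A sketch of the crypto map approach described in the reply above, for the Site A router. This is an added example, not configuration posted by anyone in the thread; all addresses, names (`WAN-CMAP`, `WAN-ESP`, `ENCRYPT-PAIRS`), the interface, the OSPF process/area and the algorithm choices are assumptions, and the pre-shared key is a placeholder.

```cisco
! --- Site A router. All addresses below are constructed examples. ---
! IKE (ISAKMP) phase 1 policy; must match the policy on the Site B router.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Placeholder key; 192.0.2.2 is the Site B WAN address (assumed).
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
!
! Phase 2 protection applied to traffic selected by the crypto ACL.
crypto ipsec transform-set WAN-ESP esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: only these source/destination pairs are encrypted.
! "permit" here means "encrypt". Traffic that matches no entry is
! forwarded in clear text, it is not dropped.
! Site B needs the mirror image (source and destination swapped).
ip access-list extended ENCRYPT-PAIRS
 permit ip host 10.1.10.25 host 10.2.20.5
 permit ip host 10.1.10.26 host 10.2.20.5
!
crypto map WAN-CMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set WAN-ESP
 match address ENCRYPT-PAIRS
!
! The crypto map sits on the physical WAN interface. OSPF keeps running
! natively on the same interface: its packets are between the interface
! addresses, so they never match ENCRYPT-PAIRS.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip ospf 1 area 0
 crypto map WAN-CMAP
```

After sending traffic between a protected pair, `show crypto ipsec sa` should show the encaps/decaps counters increasing for those selectors only, and `show ip ospf neighbor` should still show the adjacency over the WAN link. If an inbound ACL is applied to the WAN interface, it has to permit UDP 500 (ISAKMP) and ESP from the peer.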

Thank you. I will give it a try and let you know.